Increasingly enterprises are faced with numerous internal users having different access requirements that span a large number of applications, networks, and systems. Maintaining the security of such modern dynamic enterprises is a critical and challenging task. In some industries, such as banking, the federal government has promulgated rules and regulations that require a certain degree of security. Thus, enterprises are not only concerned with their reputation but face potential civil liability for security breaches. The challenge lies in efficiently and securely provisioning system access to reflect constantly changing user responsibilities and computing environments.
Historic methods of manually granting individual user access on a resource-by-resource basis long ago proved administratively infeasible for organizations of even moderate size. Role Based Access Control (RBAC) systems advanced the art by attempting to secure and streamline user administration through constructing and maintaining a formal model of user privileges grouped into roles.
However, such models have scaled poorly because many users are unique, which results in role proliferation. For example, user diversity is often represented by adding new applications, departments, or systems to the enterprise security model. Where fine-grained role approaches are required, the number of roles may equal the number of users (or even exceed the number of users if users have many roles); therefore, the advantage of grouping is often lost. Application of policy rules as a complement to roles has allowed for greater flexibility and fewer generalized static role definitions. Nonetheless, the combination of increasingly complex Information Technology (IT) infrastructures, more diversified users requiring fine-granularity access privileges, and growing numbers of users (including employees, subcontractors, partners, vendors, etc.) has shown that these conventional tools and processes for managing security are breaking down.
Consequently, what was considered a valuable security model for an enterprise has now become an administration and maintenance challenge.
Also problematic is the task of converting an enterprise to a role management system in the first place. Traditional role management systems are not conducive to integrating existing systems so that they use roles, nor do they provide the mechanisms necessary to allow multiple disparate systems, related only by the role information, to add role functionality without affecting other applications that use the role management system.
Accordingly, what is needed are mechanisms to better provision fine-grained role extensions without impacting existing role management systems.